Privacy Statement

General Data Protection Regulation (GDPR) – 25th May 2018

This legislation replaces current data privacy law, giving more rights to you as an individual and more obligations to organisations holding your personal data. One of the rights is a right to be informed; this means we are committed to giving you even more information about how we use, share and store your personal information.

This privacy notice was written with clarity in mind. It does not provide exhaustive detail of all aspects of how we collect and use personal information. If you require further details, we are happy to provide any additional information and explanation. Any requests for this should be sent to the address at the bottom of this webpage.

How we use your information

This privacy notice tells you what to expect when North West Hand Therapy (www.northwesthandtherapy.co.uk) collects personal information. It applies to information we collect about:

visitors to our website;

complainants and other individuals in relation to data protection or freedom of information enquiries;

people who use our services (e.g. who subscribe to our mailing lists or request a publication from us);

people who notify under the Data Protection Act;

Visitors to our website

When someone visits www.northwesthandtherapy.co.uk our servers collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is processed in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will state this explicitly. We will be very clear when we collect personal information and will explain what we intend to do with it.

We also use WordPress Jetpack to help keep our site secure. Details of their privacy policy are here.

Jetpack Protect

Data Used: In order to check login activity and potentially block fraudulent attempts, the following information is used: attempting user’s IP address, attempting user’s email address/username (i.e. according to the value they were attempting to use during the login process), and all IP-related HTTP headers attached to the attempting user.

Activity Tracked: Failed login attempts (these include IP address and user agent). We also set a cookie (jpp_math_pass) for 1 day to remember if/when a user has successfully completed a math captcha to prove that they’re a real human. Learn more about this cookie.

WordPress.com Stats

Data Used: IP address, WordPress.com user ID (if logged in), WordPress.com username (if logged in), user agent, visiting URL, referring URL, timestamp of event, browser language, country code. Important: The site owner does not have access to any of this information via this feature. For example, a site owner can see that a specific post has 285 views, but he/she cannot see which specific users/accounts viewed that post. Stats logs — containing visitor IP addresses and WordPress.com usernames (if available) — are retained by Automattic for 28 days and are used for the sole purpose of powering this feature.

Activity Tracked: Post and page views, outbound link clicks, referring URLs and search engine terms, and country. When this module is enabled, Jetpack also tracks performance on each page load that includes the Javascript file used for tracking stats. This is exclusively for aggregate performance tracking across Jetpack sites in order to make sure that our plugin and code is not causing performance issues. This includes the tracking of page load times and resource loading duration (image files, Javascript files, CSS files, etc.). The site owner has the ability to force this feature to honor DNT settings of visitors. By default, DNT is currently not honored.

Use of cookies

People who contact us via social media

We use third party providers (Facebook, Twitter, LinkedIn) to manage our social media interactions. You are advised to read the privacy policy of the relevant platform before you interact with us using social media. If you send us a private or direct message via social media, the message will be stored for the duration required by our professional bodies (http://www.hpc-uk.org/registrants/socialmediaguidance/). It will not be shared with any other organisations.

People who email us

We use Secure Sockets Layer & Transport Layer Security (TLS) to encrypt and protect email traffic in line with UK government recommendations (https://www.gov.uk/service-manual/technology/using-https). If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit. We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

People who use our services

We offer various services to the public. We may use third party providers to process publication requests, but they are only allowed to use the information to send out the publications. We have to hold the details of the people who have requested the service in order to provide it. However, we only use these details to provide the service the person has requested and for other closely related purposes. For example, we might use information about people who have used our service to carry out a survey to find out if they are happy with the level of service they received. If people do subscribe to our services, they can cancel their subscription at any time and are given an easy way of doing this.

What will we do with the information you provide to us?

We will not share any of the information you provide with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.
We will use the contact details you provide to us to contact you about changes to our services or matters that may affect you (e.g. if we need to cancel or change appointment times).

What information do we ask for, and why?

We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.

You may also be asked to provide equal opportunities information. This is not mandatory information – if you don’t provide it, it will not affect your treatment. This information will not be made available to any staff outside of our team in a way which can identify you. Any information you do provide will be used only to produce and monitor equal opportunities statistics.

Diagnosis & assessments

We will ask you to participate in assessments, questionnaires or a combination of these. Information will be generated by you and by us. For example, you might complete a written assessment and we will take notes about physical findings. We are obliged by professional bodies to retain medical records for 8 years.

Use of data processors

Data processors are third parties who provide elements of our service for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us.
Microsoft Bookings (Diary system)
Square (Card payments)
Writeupp (Invoicing and note writing system)
Vodafone (Telephone)
Digitally Transform Me Ltd (Website & email)

Your rights

Under the GDPR (2018) & Data Protection Act (1998), you have rights as an individual which you can exercise in relation to the information we hold about you.

Complaints or queries

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
If you want to make a complaint about the way we have processed your personal information, you can contact us at the address below.

Access to personal information

We try to be as open as we can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:

give you a description of it;

tell you why we are holding it;

tell you who it could be disclosed to; and

let you have a copy of the information in an intelligible format.

To make a request to us for any personal information we may hold about you, we ask that you put the request in writing, addressing it to our Information Governance department, or write to the address provided below.

If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting our Information Governance department.

Disclosure of personal information

In many circumstances we will not disclose personal data without consent. However, when we investigate a complaint, for example, we may need to share personal information with the other organisations concerned and with other relevant bodies. Further information is available (upon request) about the factors we shall consider when deciding whether information should be disclosed.

You can also get further information on:

agreements we have with other organisations for sharing information;

circumstances where we can pass on personal data without consent, for example to prevent and detect crime and to produce anonymised statistics;

our instructions to staff on how to collect, use and delete personal data; and

how we check that the information we hold is accurate and up to date.

People who make a complaint to us

When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We do compile statistics showing information like the number of complaints we receive, but not in a form which identifies anyone.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis. As members of professional bodies, we have a duty to inform about certain complaints.
We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated in June 2018.